arm64: Fix kernel panic in get_arm64_sve during core dump
ClosedPublic
Actions

Authored by wac_gmail.com on Jan 5 2026, 6:17 PM.

Details

Reviewers

andrew
manu

Commits

rG539bbdbd3b0c: arm64: Fix kernel panic in get_arm64_sve during core dump
rGc70a68bbdbf6: arm64: Fix kernel panic in get_arm64_sve during core dump
rG93d3ac1daa0e: arm64: Fix kernel panic in get_arm64_sve during core dump

Summary

The coredump logic calls get_arm64_sve twice: once to get the note size, and once to get the data. The note size calculation depended on the volatile PCB_FP_SVEVALID flag. If this flag was cleared between the two calls (e.g., due to a context switch clearing the flag to comply with the ABI), the second call would expect a smaller buffer size than the first, triggering a KASSERT panic ("invalid size").

Fix this by ensuring the SVE state is saved to the PCB before we decide whether to use SVE or VFP.

PR: 292195

Test Plan

Triggered core dump repro from bug 292177 and observed a good core file and no kernel panic.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

wac_gmail.com created this revision.Jan 5 2026, 6:17 PM

Herald added a reviewer: andrew. · View Herald TranscriptJan 5 2026, 6:17 PM

Herald added a reviewer: andrew. · View Herald Transcript

Herald added a reviewer: manu. · View Herald Transcript

Herald added subscribers: emaste, imp. · View Herald Transcript

wac_gmail.com requested review of this revision.Jan 5 2026, 6:17 PM

Would it be enough to move the td == curthread .. check & call to vfp_save_state before checking for PCB_FP_SVEVALID in line 942?

I don't think moving vfp_save_state(td) is sufficient because of lazy SVE restoration. If the thread hasn't executed SVE instructions since a context switch, the trap to re-enable the unit won't have fired. In that state, vfp_save_state(td) sees the unit as disabled and won't set PCB_FP_SVEVALID and we'll still potentially see this panic. Checking pcb_svesaved != NULL avoids this by checking the backing store directly.

After the first call to vfp_save_state from get_arm64_sve with buf == NULL the PCB_FP_SVEVALID flag will be set correctly based on if pcb_svesaved contains valid data or not (it may be clear if called while in a syscall). If we then context switch then vfp_save_state_switch will exit early as VFP is disabled so PCB_FP_SVEVALID isn't changed & later calls to vfp_save_state will also not change the state.

It's ok to drop the SVE state if the thread is in a system call (other than sigreturn) as the ABI doesn't guarantee it will remain valid.

I tested a patch to move vfp_save_state & haven't hit the KASSERT, even when loading the system down to try cause more context switching.

wac_gmail.com updated this revision to Diff 169935.Sat, Jan 17, 7:55 AM

wac_gmail.com edited the summary of this revision. (Show Details)

wac_gmail.com updated this revision to Diff 169936.Sat, Jan 17, 8:14 AM

wac_gmail.com edited the summary of this revision. (Show Details)

Incorporated your suggested change just moving the vfp_save_state and tested successfully. Thank you for your patience on this.

Can you send ma a git patch with this change? e.g. the output of git format-patch

This revision is now accepted and ready to land.Mon, Jan 19, 12:28 PM

Closed by commit rG93d3ac1daa0e: arm64: Fix kernel panic in get_arm64_sve during core dump (authored by • william.a_carrel.org, committed by andrew). · Explain WhyFri, Jan 30, 5:20 PM

This revision was automatically updated to reflect the committed changes.

andrew added a commit: rG93d3ac1daa0e: arm64: Fix kernel panic in get_arm64_sve during core dump.